Home » Cloud » Securing Web2Lead

Securing Web2Lead

Salesforce.com provides a very useful feature called Web2Lead to enable Lead generation via a web page.
When you enable Web2Lead, Salesforce generates an HTML code as follows:

<!--  ----------------------------------------------------------------------  -->
<!--  NOTE: Please add the following <META> element to your page <HEAD>.      -->
<!--  If necessary, please modify the charset parameter to specify the        -->
<!--  character set of your HTML page.                                        -->
<!--  ----------------------------------------------------------------------  -->

<META HTTP-EQUIV="Content-type" CONTENT="text/html; charset=UTF-8">

<!--  ----------------------------------------------------------------------  -->
<!--  NOTE: Please add the following <FORM> element to your page.             -->
<!--  ----------------------------------------------------------------------  -->

<form action="https://www.salesforce.com/servlet/servlet.WebToLead?encoding=UTF-8" method="POST">

<input type=hidden name="oid" value="<Your_Org_Id>">
<input type=hidden name="retURL" value="http://www.salesforce.com">

<!--  ----------------------------------------------------------------------  -->
<!--  NOTE: These fields are optional debugging elements. Please uncomment    -->
<!--  these lines if you wish to test in debug mode.                          -->
<!--  <input type="hidden" name="debug" value=1>                              -->
<!--  <input type="hidden" name="debugEmail"                                  -->
<!--  value="agaikwad@yahoo.com">                                    -->
<!--  ----------------------------------------------------------------------  -->

<label for="first_name">First Name</label><input  id="first_name" maxlength="40" name="first_name" size="20" type="text" /><br>

<label for="last_name">Last Name</label><input  id="last_name" maxlength="80" name="last_name" size="20" type="text" /><br>

<label for="email">Email</label><input  id="email" maxlength="80" name="email" size="20" type="text" /><br>

<label for="company">Company</label><input  id="company" maxlength="40" name="company" size="20" type="text" /><br>

<label for="city">City</label><input  id="city" maxlength="40" name="city" size="20" type="text" /><br>

<label for="state">State/Province</label><input  id="state" maxlength="20" name="state" size="20" type="text" /><br>

<input type="submit" name="submit">


This is an HTTP Post Request sent to servlet having a URL https://www.salesforce.com/servlet/servlet.WebToLead.
Notice that there is no authentication performed. So how does this servlet know that the user inserting a
lead is authorized to do so?
In fact while investigating a problem of unexpected leads appearing in Lead object with unexpected owner id,
I noticed that just knowing an Organization Id is enough to insert a lead.
So how does it pose a security problem?
Imagine that a disgruntled ex employee who knows the Organization Id. If he or she decides to play mischief,
he can write a very simple script which sends HTTP post request to insert millions of phony leads.
How to prevent this?
Obviously one of the request parameters must include some token which is validated before inserting the lead.
This token must be stored within salesforce.com and configurable by the System Admin.
Since only salesforce.com internal team has access to servlet code, only they can make this change.



  1. Or you could just “disable” web-to-lead and use an app that creates the leads via the API (there are a number of plugins for different CMS that do this already). But then whats stopping them hiring a load of people (or even themselves) to post the form over and over again? even the token doesn’t stop that.

    Or you could create your own token to put into the form, then when the lead comes into salesforce you can check to see if the token is valid and if not delete the lead. To call it a security issue is a bit of a stretch of the imagination.

  2. Also I wouldn’t put business logic like owner id in the web-to-lead, its harder to change later on its better to use lead assignment rules and workflow field update rules instead.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: